chore(deps): update dependency opentofu/opentofu to v1.12.1

[renovate]

This PR contains the following updates:

Package	Update	Change
opentofu/opentofu	minor	1.11.3 → 1.12.1

---

Release Notes

opentofu/opentofu (opentofu/opentofu)

v1.12.1

Compare Source

SECURITY ADVISORIES:

• Previous releases in the v1.12 series could be affected by several vulnerabilities:

  • ssh usage through OpenTofu generate hangs or panics.
  • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

  This is fixed now by (#​4145)

BUG FIXES:

• Address a bug introduced in v1.12.0 causing excessive memory usage by providers. (#​4126)
• Address a bug introduced in v1.12.0 where replace_triggered_by was validated incorrectly. (#​4133
• The Azure key provider will now accept the tenant_id, subscription_id, environment, and metadata_host variables; a bug previously only allowed these to be set through environment variables. (#​4091)

Full Changelog: https://github.com/opentofu/opentofu/blob/v1.12/CHANGELOG.md

v1.12.0

Compare Source

OpenTofu 1.12.0

We're proud to announce that OpenTofu 1.12.0 is now officially available! 🎉

Highlights

This release cycle introduces major new capabilities and integrations:

Dynamic prevent_destroy

OpenTofu v1.12.0 now allows prevent_destroy to be defined dynamically in terms of other values available elsewhere in the same module. For example:

variable "prevent_destroy_database" {
  type    = bool
  default = true
}

resource "example_database" "example" {
  # ...

  lifecycle {
    prevent_destroy = var.prevent_destroy_database
  }
}

Provider Checksum Improvements

The default provider installation behavior in OpenTofu is designed to mostly "just work" by getting the needed providers installed and making the necessary changes to the dependency lock file, but in previous versions friction appeared for any teams using many of the non-default installation settings such as the shared provider plugin cache, or local mirrors of upstream providers.

For OpenTofu v1.12, OpenTofu Registry now provides a full set of official checksums in all of the checksum formats needed by other installation methods. This means that after running tofu init the dependency lock file will immediately have all of the information required to successfully use a global plugin cache directory and to verify matching packages served from a local mirror, without needing to run tofu providers lock separately.

Simultaneous Human-readable and Machine-readable Output

Many OpenTofu commands support both human-oriented UI output and machine-readable JSON output, but previously those commands could be run with only one or the other. This was bothersome for those implementing alternative UIs in terms of the machine-readable output because it meant they would need to implement all possible features of the UI before their tool could actually be used.

OpenTofu v1.12.0 introduces a new option -json-into=FILENAME, which produces the same output format that -json would have produced but sends that output to the given filename instead of to the standard output stream. The OpenTofu UI output then appears on the standard output stream as normal, so that software interpreting the JSON output can behave as just a supplement to the normal UI rather than a complete replacement.

New destroy lifecycle meta-argument

The new destroy = false lifecycle option for managed resources allows removing an object from the state without first destroying the remote object.

Deprecation Notices

WinRM for Provisioners is Now Deprecated

Some of the Go libraries that OpenTofu uses for WinRM connection support in provisioners have become unmaintained over time, and so unfortunately we are phasing out support for WinRM in OpenTofu starting with deprecation warnings in this release.

If your configuration includes a connection block with type = "winrm" then OpenTofu v1.12 will warn that this connection type is deprecated, but provisioning should otherwise still work as it did before.

We intend to remove WinRM support completely in the forthcoming OpenTofu v1.13 series, and so if you are currently relying on WinRM support we recommend that you begin planning to migrate to using OpenSSH for Windows instead.

Phasing Out Support for 32-bit CPU Architectures

We are also planning to stop producing official releases for 32-bit CPU architectures (386 and arm) in a future version of OpenTofu. Support for 64-bit architectures (amd64 and arm64) is unaffected.

OpenTofu v1.12 does not include any changes to CPU support yet, but we expect that the official builds in the forthcoming v1.13 series will begin producing warnings when running on 32-bit CPU architectures, before we stop producing those packages altogether in a future release series.

Compatibility Notes

• macOS: Requires macOS 12 Monterey or later
• The OPENTOFU_USER_AGENT environment variable, which allowed fully overriding the default User-Agent header on all HTTP requests, has been removed.
• On Unix systems OpenTofu now considers the BROWSER environment variable as a possible override for the default behavior for launching a web browser. If you run OpenTofu in a context where an environment variable of that name is already set, it may cause OpenTofu to now open a web browser in a different way than previous versions would have. Unsetting that environment variable will restore the previous platform-specific behavior.

Reference

• Full Changelog
• Blog Post

Thank you for your continued support and testing of the OpenTofu project!

v1.11.8

Compare Source

SECURITY ADVISORIES:

• Previous releases in the v1.11 series could potentially take an excessive amount of time and send extraneous data to an HTTP2 server that specifies a maximum frame size of zero. This is now fixed. (#​4094)

  An attacker that can coerce an operator to install a dependency from an attacker-controlled server could use this to cause unexpected resource consumption during tofu init.

Full Changelog: opentofu/opentofu@v1.11.7...v1.11.8

v1.11.7

Compare Source

BUG FIXES:

• When installing provider packages into a local cache directory, the installer will now return an error if a conflicting entry is already present in the cache that doesn't match the expected checksum. Previously OpenTofu would just silently write over the existing entry in that case. (#​4082)

Full Changelog: opentofu/opentofu@v1.11.6...v1.11.7

v1.11.6

Compare Source

BUG FIXES:

• Running tofu apply -refresh-only with a configuration that contains ephemeral resources does not fail anymore because the refresh produced changes (#​3776)
• Fixed tofu init crashing when a module version uses a variable and the module is referenced from a test file. (#​3686)
• Fixed provider-defined functions in import block id expressions causing "BUG: Uninitialized function provider" error. (#​3803)
• tofu test no longer fails during cleanup when using a mocked version of a resource type with write-only attributes. (#​3964)
• A malicious remote TLS server can no longer deadlock OpenTofu by sending multiple key update messages in a single record. (#​3966)
• When installing module packages from "tar" archives, OpenTofu now accepts only a limited number of sparse file entries to avoid unbounded memory usage from maliciously-crafted archives containing many sparse regions. (#​3966)

Full Changelog: opentofu/opentofu@v1.11.5...v1.11.6

v1.11.5

Compare Source

BUG FIXES:

• Add universe_domain option in the gcs backend to support sovereign GCP services (#​3758)
• The azurerm backend's MSI authentication method will now respect the provided client ID (#​3586)
• Using a network mirror for the providers source does not print debug logs without being asked for (#​3736)

Full Changelog: https://github.com/opentofu/opentofu/blob/67fe9db49b7dafd46470cf9ac7f437aaa95f5c40/CHANGELOG.md

v1.11.4

Compare Source

SECURITY ADVISORIES:

• Previous releases in the v1.11 series could potentially take an excessive amount of time processing a maliciously-crafted .zip archive during either provider or module installation during tofu init. (#​3689)

BREAKING CHANGES:

• Modules containing local provider configurations now also reject the enabled argument, matching existing behavior for count, for_each, and depends_on. (#​3680)

  This was an oversight in the original design of the enabled feature and was missed during the review process. Although our goal is to not introduce breaking changes in patch releases, in some cases it may be warranted. Anyone who has used the enabled feature in this particular way will have unintentionally introduced a foot-gun into their infrastructure and should remedy it post-haste.

BUG FIXES:

• In JSON syntax, the state encryption method configuration now allows specifying keys using both normal expression syntax and using template interpolation syntax. Previously only the template interpolation syntax was allowed, which was inconsistent with other parts of the encryption configuration. (#​3654)
• Providers are not configured anymore with DeferralAllowed capability of OpenTofu since having that created unwanted behaviour from some providers. (#​3676)
• Resources containing write-only attributes now are rendered consistently during planning. (#​3667)

Full Changelog: opentofu/opentofu@v1.11.3...v1.11.4

---

Configuration

📅 Schedule: (in timezone Europe/Paris)

• Branch creation
  • Between 12:00 AM and 10:59 AM, only on Monday (* 0-10 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.